Introduction

Background

The financial system is a complex network of participants from different environments and shared technologies, with a large volume of information flowing through the network. It includes all types of entities, information, technologies, rules and standards that enable financial intermediation. Efficient, safe and reliable infrastructure enables entities and others to expand their offering of financial services to the broader economy. Within this context, there are highly sophisticated cyber threat actors who target the most vulnerable links in this network, and so it is critical that entities reduce their vulnerabilities at every point and strengthen their overall resilience. This requires diverse, layered approaches, solutions and tools. Intelligence-led red team testing is one such tool to help entities test and enhance their protection, detection and response capabilities.

TIBER-EU enables authorities to work with entities under their responsibility to put in place a programme for testing and improving their resilience against sophisticated cyber attacks.

For the purposes of the TIBER-EU framework, “entities” means:

payment systems, central securities depositories, central counterparty clearing houses, trade repositories, credit rating agencies, stock exchanges, securities settlement platforms, banks, payment institutions, insurance companies, asset management companies and any other service providers deemed critical for the functioning of the financial sector.

Purpose of this framework document

This framework document provides an overview of how TIBER-EU will be implemented across the EU. It explains the key phases, activities, deliverables and interactions involved in a TIBER-EU test. This document is not a detailed prescriptive method, but an overarching framework which should be complemented with other relevant TIBER-EU materials (as set out in Annex III).

Who is this framework document for?

This framework document is aimed at:

  • authorities responsible for the adoption, implementation and management of the TIBER-EU framework at national and European levels;
  • entities looking to undertake TIBER-EU tests;
  • supervisors and overseers of those entities;
  • organisations interested in providing cyber threat intelligence services under TIBER-EU;
  • organisations interested in providing red team testing services under TIBER-EU.

Although the TIBER-EU framework is aimed at the financial sector, it can be applied by other sectors and industries for testing other types of entities.

What is TIBER-EU?

TIBER-EU is a common framework that delivers a controlled, bespoke, intelligence-led red team test of entities’ critical live production systems.

The aims of TIBER-EU are as follows: to improve the protection, detection and response capabilities of entities; to enhance the resilience of the financial sector; and to provide assurance to the authorities about the cyber resilience capabilities of the entities under their responsibility.

A common framework...

As the appetite grows for different jurisdictions to develop national intelligence-led red teaming frameworks, there is a risk that incompatible frameworks could emerge which could lead to an unnecessary duplication of effort. Multiple frameworks potentially represent a substantial burden for entities (financial and otherwise). They also give rise to the risk of unnecessarily exposing sensitive information, and may additionally lead to inconsistent results.

TIBER-EU therefore has the following core objectives:

  • enhance the cyber resilience of the entities, and the financial sector more generally;
  • standardise and harmonise the way entities perform intelligence-led red team tests across the EU, while also allowing each jurisdiction a degree of flexibility to adapt the framework according to its specificities;
  • provide guidance to authorities on how they might establish, implement and manage this form of testing at a national and European level;
  • support cross-border, cross-jurisdictional intelligence-led red team testing for multinational entities;
  • enable supervisory and/or oversight equivalence discussions where authorities seek to rely on each other’s assessments carried out using TIBER-EU, thereby reducing the regulatory burden on entities and fostering mutual recognition of tests across the EU;
  • create the protocol for cross-authority/border collaboration, result sharing and analysis.

... with national implementation...

The TIBER-EU framework acts as a central hub. Each jurisdiction can adopt the framework at a national or European level, applying it in a manner which suits its specificities. If the framework is adopted at a national or European level, there should be an accompanying national (TIBER-XX) or European (TIBER-EU YY) Implementation Guide, with XX representing the two-letter ISO 3166-1 country code and YY the European authority. This is shown in the following diagram:

TIBER-EU framework and national/European implementation guides

The framework offers a level of flexibility which allows for national implementations to accommodate a wide range of institutional set-ups, legal mandates and market structures. Some authorities may implement this framework from an oversight and/or supervisory perspective, while others may choose to implement the framework from a financial stability perspective.

... developed with input from the industry

To develop TIBER-EU, authorities have:

  • consulted with entities to elicit support and to take advice;
  • engaged with the red team providers (RT providers) in the EU to develop a scheme that is sympathetic to the concerns raised by the financial services industry and the risks associated with testing critical technology assets;
  • engaged with the threat intelligence providers (TI providers) in the EU to seek their advice and establish good practices, which will facilitate the provision of intelligence required to identify current threat actors engaged in attacks against critical EU entities;
  • worked closely with jurisdictions[1][2] which have already developed, or are developing, similar intelligence-led ethical red teaming frameworks.

This collaboration has formed the basis for defining the TIBER-EU framework, which, with the support of the financial industry, puts in place measures to provide confidence that targeted tests can be conducted on critical technology assets while minimising risk. The TIBER-EU framework harnesses the threat intelligence and threat scenarios from the TI providers to develop a Red Team Test Plan which is executed by red team testing companies.

Why intelligence-led red team testing?

Penetration tests have provided a detailed and useful assessment of technical and configuration vulnerabilities, often in isolation within a single system or environment. However, they do not assess the full scenario of a targeted attack against an entire entity (including the complete scope of its people, processes and technologies).

To provide an appropriate level of assurance that key financial services assets and systems are protected against technically competent, resourced and persistent adversary attacks, the level and sophistication of testing must be increased and the testers must be armed with up-to-date and specific threat intelligence.

Intelligence-led red team tests mimic the tactics, techniques and procedures (TTPs) of advanced threat actors who are perceived by threat intelligence as posing a genuine threat to entities.

An intelligence-led red team test involves the use of a variety of techniques to simulate an attack – either by malicious outsiders or by staff – on an entity’s information security arrangements (i.e. its people, processes and technologies). The test helps an entity to assess its protection, detection and response capabilities.

The idea of TIBER-EU is to:

  • bring together the best available governmental and/or commercial threat intelligence, tailored to the business model and operations of a particular entity, to set up credible scenarios mimicking the key potential attackers and the attack types they would deploy;
  • use this intelligence to enable ethical red team testers to simulate more accurately real-life attacks from competent adversaries on the live production systems of the entity.

TIBER-EU tests are to be performed without the knowledge of the target entity’s security or response capability (i.e. Blue Team, BT). Only a small group from the entity, referred to as the White Team (WT), knows about the test. This is to ensure that the test can assess how effectively the target entity is able to protect its critical systems, and how effectively it can detect and respond to attacks.

Given the nature of a TIBER-EU test and the critical nature of the live production systems and other connected environments being tested, the framework sets out a number of risk management activities to ensure a controlled test.

Additional information

Any further enquiries about TIBER-EU should be directed to TIBER-EU@ecb.europa.eu.

  1. See Financial sector continuity. In respect of CBEST see also creative commons.
  2. See DNB publishes TIBER ethical hacking guide for financial core payment institutions.